christopher's notes

windows update broke my tpm disk decryption

In a previous post, I set up an encrypted drive on my laptop that will automatically decrypt using keys stored in the TPM of that laptop.

This has been mostly working great for 8 months!! However, this is a dual-boot machine, and a couple of times it has randomly broken after booting into Windows. Presumably this is due to Windows Update changing some certificates in the Secure Boot chain, which changes PCR 7, one of the PCRs the key is sealed against.

If this happens, the TPM keys need to be re-enrolled. The easiest way to do that is:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+12+14 --wipe-slot=tpm2 <encrypted device>
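Before wiping and re-enrolling the slot, it is worth knowing which PCR actually moved: PCR 7 drifting after a Windows boot matches the Secure Boot explanation above, while a change in 12 or 14 points somewhere else. The script below is an added example, not from the original post; it assumes you saved tpm2_pcrread output for PCRs 7, 12 and 14 at enrollment time, and every hash value in it is constructed.

```shell
# Added example, not from the original post. Assumes the PCR values were saved
# at enrollment with:  tpm2_pcrread sha256:7,12,14 > /root/pcr-baseline.txt
# and the current ones are read the same way. All hashes below are constructed.

# Constructed: tpm2_pcrread output captured right after enrolling.
BASELINE_SAMPLE='  sha256:
    7 : 0xAAAA000000000000000000000000000000000000000000000000000000000001
    12: 0xBBBB000000000000000000000000000000000000000000000000000000000002
    14: 0xCCCC000000000000000000000000000000000000000000000000000000000003'

# Constructed: the same PCRs after a Windows update touched Secure Boot variables.
AFTER_WINDOWS_SAMPLE='  sha256:
    7 : 0xDDDD000000000000000000000000000000000000000000000000000000000099
    12: 0xBBBB000000000000000000000000000000000000000000000000000000000002
    14: 0xCCCC000000000000000000000000000000000000000000000000000000000003'

# Turn "   7 : 0xABC..." lines into "7 abc..." (index, lowercase hex), one per line.
pcr_normalise() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\([0-9]\{1,2\}\)[[:space:]]*:[[:space:]]*0x\([0-9A-Fa-f]*\).*/\1 \2/p' |
        tr 'A-F' 'a-f'
}

# Print the index of every PCR whose value differs between baseline and current.
pcr_changes() {
    cur=$(pcr_normalise "$2")
    pcr_normalise "$1" | while read -r idx hash; do
        now=$(printf '%s\n' "$cur" | awk -v i="$idx" '$1 == i { print $2 }')
        [ "$now" = "$hash" ] || printf '%s\n' "$idx"
    done
}

# What each PCR from the enrollment command above covers.
pcr_meaning() {
    case "$1" in
        7)  echo "Secure Boot policy (db/dbx/KEK contents and the cert that signed the boot loader)" ;;
        12) echo "kernel command line and boot loader configuration" ;;
        14) echo "shim MOK certificates and hashes" ;;
        *)  echo "not bound by the enrollment above" ;;
    esac
}

# True only when PCR 7 alone drifted: the Windows-update case where re-enrolling
# is the expected fix. Any other drift deserves a look before wiping the slot.
only_secure_boot_changed() {
    [ "$(pcr_changes "$1" "$2")" = "7" ]
}

pcr_changes "$BASELINE_SAMPLE" "$AFTER_WINDOWS_SAMPLE" | while read -r idx; do
    printf 'PCR %s changed: %s\n' "$idx" "$(pcr_meaning "$idx")"
done
```

To use it on a real machine, replace the two constructed samples with the saved baseline file and fresh `tpm2_pcrread sha256:7,12,14` output.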


If you post a reply on another blog or social media, or just want to chat, email me! christopher@cg505.com